Hackers eyeing Kazakhstan as a safe haven

The government has no clear strategy to address the threat.

A hacker group is hijacking personal computers in Kazakhstan to attack banks around the world. (David Trilling)

Imagine a small town in the middle of Kazakhstan’s steppes. An elderly lady is speaking to her grandson over Skype. He moved to the big city for university.

“Come home for the holidays. I’ll make you beshbarmak,” the grandmother says.

“Ok then, I will,” the young man says.

As the woman shares some gossip and asks if her grandson is making sure to wrap up warm, her laptop is, unbeknownst to her, performing a series of illicit operations. Money is being spirited out of a bank account halfway across the planet.

This is not an implausible scenario if warnings from Arman Abdrasilov, director of the Astana-based Center for Cyberattack Analysis and Research, or TsARKA in its Russian-language acronym, are close to the mark.

“One of the world’s most dangerous hacker groups, Cobalt, which specializes in hacking into bank accounts, is moving into Kazakhstan,” Abdrasilov said.

TsARKA raised the alarm earlier this year on the back of research done by Moscow-based cybersecurity company Positive Technologies. The warning caused a few ripples but has generated little by way of a visible response from the authorities.

The government should probably be concerned, however.

According to online security company Group-IB, the Cobalt group, which emerged around 2013, targeted Russian banks with phishing emails containing programs that would enable them to gain access to password-protected archives. That was the first step toward gaining remote control of ATMs, which would then spit out cash to associates.

Positive Technologies has assessed that the Cobalt gang, which is so named for the malignant software it has used to gain access to targeted mainframes, has since 2017 branched out from its traditional areas of operation, in Eastern Europe and Southeast Asia, to financial institutions in Europe and North America.

The European Union Agency for Law Enforcement Cooperation, or Europol, believes the Cobalt gang has targeted banks in more than 40 countries, causing the financial industry losses of more than 1 billion euros ($1.1 billion). In 2017 alone, Cobalt carried out more than 20 attacks on 240 Russian financial institutions and stole more than $15 million, the Russian Central Bank revealed in February.

When Abdrasilov talks about Cobalt finding a new home in Kazakhstan, he is not suggesting that any of its members would physically relocate there. Instead, vulnerable computers in the country would be hacked and used remotely as a smokescreen for mounting attacks on bank servers.

Abdrasilov says security experts have recorded a spike in the number of computers in Kazakhstan being hijacked by Cobalt. When $81 million was stolen from the Bangladesh Bank in February 2016, it was done in part through hacked servers located in Kazakhstan, he says.

Kazakhstan’s own banks have been targeted too. In 2017, six lenders were hit with phishing attacks, wherein bank employees unwittingly compromise their institution’s security by clicking on malicious links in emails.

Yevgeny Nozikov, an IT specialist at Alfa-Bank, one of the institutions hit, told Eurasianet that Kazakhstan’s banks were ill-prepared. In this series of attacks, the hackers sought their reward in the form of a ransom to be paid in exchange for IT systems being unblocked.

Abdrasilov said that although Kazakh banks lost a lot of money during these attacks, they have said little publicly about the episode for fear of tainting their reputations.

This three-wise-monkeys behavior is making Kazakhstan something of a haven.

“It used to be that they put their management centers in Europe and Russia,” said Abdrasilov, referring to the hacked servers used as proxy platforms for attacks. “Now they have brought these to our countries.”

Law enforcement officials, meanwhile, appear either unable or unwilling to address the matter.

Last year, Yevgeny Yemelyanov, head of the State Technical Service, a body operating under the aegis of the National Security Committee, or KNB, was cited by Sputnik news agency as saying that there were more than 79,000 “computer incidents” in Kazakhstan from 2011 to 2017. A State Technical Service specialist told Eurasianet that those incidents could include anything from successful hacks into bank IT systems to phishing emails.

Repeated written requests from Eurasianet to the National Security Committee for clarifications and a comment on this story went unanswered.

In January 2015, a renewed version of the Criminal Code envisioned harsher penalties for cybercrime, but that appears to have had little impact. Law enforcement forces concede that fewer than 3 percent of online crimes are solved.

Speaking on the sidelines of a conference last year, Lyazzat Temirzhanova, a researcher at the General Prosecutor’s Office, lamented to reporters that there is a lack of police personnel skilled in dealing with cybercrime.

The most high-profile criminal cases for online activity involve instances of people accused of propagating hatred or extremism through the internet.

Rather than tackling the problem as a proliferation of criminal conspiracies, the government’s strategy has been to conceive of protecting the nation’s online resources in quasi-conventional military terms. Last year, the Defense Ministry formed a monitoring system called Kazakhstan Cyber-Shield, which is intended to serve as an early warning alert when government and private entities come under assault.

In outlining some features of the Cyber-Shield strategy, deputy KNB chief Daulet Yergozhin said in March that the system would enable IP addresses to be blocked and internet connectivity to be suspended altogether in some regions, as and when the situation warrants.